The Hacker News — Cyber Security, Hacking, Technology News

The increasing public attention on Bitcoin did not go unnoticed by cybercriminals, who have begun unleashing Bitcoin-mining malware.

Security researchers at Malwarebytes warned about a new malware threat in which Bitcoin miners are bundled with third-party potentially unwanted programs (PUPs), which themselves come bundled with legitimate applications.

The malware allows cybercriminals to use victims' computing resources for their own gain. "This type of system hijacking is just another way for advertising based software to exploit a user into getting even more cash."

The malware uses 'jhProtominer', a popular command-line mining program, to abuse the CPUs and GPUs of infected computers to generate Bitcoins.

Upon further investigation, Malwarebytes found that the parent of the Bitcoin miner was "monitor.exe", part of the YourFreeProxy application, which "beacons out constantly, waiting for commands from a remote server, eventually downloading the miner and installing it on the system."

However, the company behind the application has a specific clause (clause 3) in its EULA that covers mathematical calculations similar to the Bitcoin mining operation. This means that the company behind the software can and will install Bitcoin miners, use system resources to perform the operations required to mine Bitcoins, and keep the rewards for itself.

The growing presence of Bitcoin-mining malware underlines the increasing popularity of the currency. Cybercriminals always look for new ways to monetize their malicious activity, and Bitcoin generation lets them do just that.

To stay safe, we highly recommend using a professional antivirus solution able to find and safely remove malware from your system. Safe computing habits also help prevent infection and Bitcoin mining, so do not download and install applications from unknown sites.

Today Vodafone Iceland was hacked by the Turkish hacker group Maxn3y (@AgentCoOfficial), which in the past has stolen data from airport systems, electronics giants and a fast-food company.

The group announced via Twitter that it had successfully compromised a Vodafone Iceland server and defaced the official website (Vodafone.is), along with various other sub-domains including the company's mobile site.

The hackers released a 61.7 MB password-protected RAR archive (the password is TURKISH) that contains a collection of files, including one titled users.sql that appears to contain 77,000 user accounts.

The file includes user names, social security numbers, encrypted passwords and other encrypted information. The portal CyberWarNews posted the list of disclosed files and provided information on their content.

Google's Nexus smartphones are vulnerable to an SMS-based denial-of-service (DoS) attack: an attacker can force them to restart, freeze, or lose network connectivity by sending a large number of special SMS messages to them.

The vulnerability was discovered by Bogdan Alecu, a system administrator at Dutch IT services company Levi9, and affects all Android 4.x firmware versions on the Google Galaxy Nexus, Nexus 4 and Nexus 5.

The problem lies in how the phones handle a special type of text message known as a flash SMS (a type of message that is normally not stored by the system and does not trigger any audio alert). By sending around 30 flash SMS messages to a Nexus phone, an attacker can cause the phone to malfunction.

He presented the vulnerability on Friday at the DefCamp security conference in Bucharest, Romania. In an email exchange with me, he said: "I was testing different message types and for the class 0 messages I noticed that the popup being displayed also adds an extra layer which makes the background darker. Then my first thought was: what happens if I send more such messages? Will it make the entire background go black? If so, wouldn't this cause a memory leak? The answer is 'Yes' for both of the questions. So, basically, by sending around 30 Class 0 messages, it will make the Google device behave strangely."

According to the researcher, several possible outcomes can result from the overloading:

It will either say that the Messaging application has stopped

Cause a reboot - this is what happens in most cases

Make only the Radio (mobile network communication) app restart, after which the device will no longer be able to use mobile data (it cannot connect to the APN)

Android devices, by default, offer no easy way for users to send flash messages, though several apps are available to do so.

Alecu says that he discovered the issue more than a year ago and contacted Google; he was told back in July that the issue would be addressed in Android 4.3, but that proved not to be the case.

Google is now aware of the situation and says that it is investigating. Until a fix from Google lands, users can use the free Class0Firewall app to prevent such situations.

A Symantec researcher has discovered a new Linux worm that targets machine-to-machine devices and propagates by exploiting a PHP vulnerability (CVE-2012-1823) that was patched as far back as May 2012.

The worm, which has been dubbed Linux.Darlloz, poses a threat to devices such as home routers, set-top boxes, security cameras and even industrial control systems. It is based on proof-of-concept code released in late October and spreads by exploiting a vulnerability in php-cgi.

"Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target," the Symantec researchers explained.

The malware does not appear to perform any malicious activity other than silently spreading itself and wiping a number of system files.

So far the malware variant targets x86 systems, because the malicious binary downloaded from the attacker's server is in ELF (Executable and Linkable Format) for Intel architectures.

However, the Symantec researchers say the attacker also hosts variants of the worm for other architectures, including ARM, PPC, MIPS and MIPSEL.

No attacks have been reported in the wild, but Symantec warned that most users would not realize they were at risk, as they would be unaware that their devices run Linux.

To protect their devices from the worm, users are advised to update their software to the latest version, use stronger device passwords and block incoming HTTP POST requests to the /cgi-bin/php* paths.

The Hacker group tweeted from the TIME's official account, "Syrian Electronic Army Was Here via @Official_SEA16..Next time write a better word about the Syrian president #SEA" with their logo, as shown above.

TIME Magazine is currently hosting a poll, "Who Should Be TIME's Person of the Year?", and on its website the Syrian President Bashar al-Assad is described as follows: "Syria's ruler presided over a bloody year, shrugging off international concerns over the use of chemical weapons as the death toll of his country's civil war eclipsed 100,000."

How they hacked into TIME's account is not yet clear, but the group is known for using advanced phishing attacks to carry out high-profile hacks.

TIME's staff deleted the tweet about 10 minutes after the hack. In a separate tweet on their own Twitter handle, the hackers said, "We think Bashar al-Assad should be @TIME's Person of the Year." So far the Syrian president is in 7th place with only 2.7% of the votes.

The Syrian Electronic Army is an organized hacking group loyal to the Syrian President Bashar al-Assad and known for its high-profile cyber attacks.

This year Syrian Electronic Army hackers were able to disrupt the New York Times website multiple times, as well as Twitter, CNN, the Huffington Post, Global Post and many other targets. Stay tuned to 'The Hacker News' for more updates on the story.

Update: The TIME Person of the Year poll is over. The poll was also temporarily closed after the hack.

Skype has been targeted by cybercriminals again this week. Users are receiving a new spam email with the subject "You received a new message from the Skype voice mail service." that actually leads to the Zeus malware.

Zeus is a Trojan horse that attempts to steal confidential information from the compromised computer. It specifically targets system information, online credentials and banking details, but can be customized through its toolkit to gather any sort of information.

The email is sent from the spoofed address "Skype Communications" and looks genuine: its body content is similar to, and it carries the official Skype logo that usually comes with, legitimate Skype voice mail alerts.

"This is an automated email, please don't reply. Voice Message Notification. You received a new message from the Skype voice mail service." the email reads. The fraudsters have also tried to make the emails look genuine by adding real links back to the Skype website.

According to MX Lab, the attached file (151 kB) is a variant of the Zeus Trojan.

Researchers at FireEye have discovered a new privilege escalation vulnerability in Windows XP and Windows Server 2003.

CVE-2013-5065, a local privilege escalation vulnerability, is being used in the wild in conjunction with an Adobe Reader exploit (CVE-2013-3346) that appears to target an already-patched vulnerability.

Microsoft has issued an advisory warning that the bug in Windows XP's NDPROXY.SYS driver could allow attackers to run code in the system's kernel from a standard user account.

The exploit could allow a standard user account to execute code in the kernel, which may let an attacker gain privileges that would enable them to perform various activities, including deleting or viewing data, installing programs, or creating accounts with administrative privileges.

"Our investigation of this vulnerability has verified that it does not affect customers who are using operating systems newer than Windows XP and Windows Server 2003," Microsoft advised.

Last April, Microsoft announced that it will discontinue support for Windows XP in April 2014, meaning XP users will no longer receive security updates from Microsoft.

Users are advised to update to the latest Adobe Reader software and to upgrade to Microsoft Windows 7 or a higher version.

Ruby on Rails contains a design flaw that may allow attackers to more easily access applications. Websites that rely on Ruby on Rails's default cookie storage mechanism, CookieStore, are at risk.

The vulnerability was actually reported two months ago, but thousands of websites are still running a vulnerable version of Ruby on Rails that allows a malicious attacker to gain unauthorized access again and again, without a password, if they manage to steal a user's cookies via cross-site scripting, session sidejacking or physical access.

More than 10,000 websites are vulnerable to the Ruby on Rails cookie storage mechanism flaw, though the vulnerability requires the user's session cookies to be compromised in the first place.

Security researcher G.S. McNamara provided details of the vulnerability in a blog post: he analyzed nearly 90,000 sites with specialized scripts and discovered 1,897 sites based on old versions of Ruby on Rails (version 2.0 to version 4.0) that store users' cookie data in plain text.

Another concerning issue with the sites analyzed is the lack, or incorrect use, of SSL, which allows communication eavesdropping.

Surprisingly, large companies such as crowdsourcing site Kickstarter.com, Paper.li, Simfy, Ask.fm, Audioboo and Warner Bros. are also vulnerable to this flaw.

Ruby on Rails has encrypted cookies by default since version 4.0. The purpose of an encrypted, signed cookie is to make sure nobody can forge a cookie to impersonate someone else, but the cookie management still exposes users to attack.

"Version 4.0 and beyond still have this problem. The attacker could save the encrypted cookie and send it to the server to log in as the victim without having to read the contents of the cookie."

"The encryption does not protect against reusing the cookie after logout," wrote McNamara.

This means that even though the cookies are encrypted, a hacker could steal them to log in to a vulnerable website, since the site permits an attacker to reuse old session credentials or session IDs for authorization. The flaw is known as "Insufficient Session Expiration" and it is a serious issue for website operators.

"Many of the websites and tools we use store the session hash on the client side, including the applications Redmine, Zendesk, and Spiceworks."

How can you discover whether a website is using an older version of Ruby on Rails with the CookieStore cookie-based storage mechanism?

According to McNamara it is quite simple: an attacker only has to look for the string "BAh7" at the beginning of the cookie value. A SHODAN search for this string reveals tens of thousands of these vulnerable websites.

Leaking your cookies amounts to giving people a temporary password to your accounts. McNamara has already asked the Rails developers to switch to a different cookie storage mechanism to fix the vulnerability, for example by storing session information on the server side.
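The weakness described above, and the server-side fix McNamara asks for, as an added example (this is illustrative code, not Rails' own CookieStore implementation): a toy CookieStore-style session is Marshal-dumped, Base64-encoded and HMAC-signed, so a copy saved before logout still verifies afterwards, whereas a server-side store can actually kill the session. The secret key and user id are constructed for the demo.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Constructed demo secret; a real app would use its own secret_key_base.
SECRET = 'constructed-demo-secret-not-a-real-key'

def sign(data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), SECRET, data)
end

# Constant-time comparison so signature checks don't leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# CookieStore style: the whole session lives in the client's cookie,
# serialised with Marshal, Base64-encoded and signed (data--signature).
def cookie_store_cookie(session_hash)
  data = Base64.strict_encode64(Marshal.dump(session_hash))
  "#{data}--#{sign(data)}"
end

# Server side: verify the signature, then load. Nothing on the server
# remembers that this session was logged out, so any signed copy is valid.
def cookie_store_load(cookie)
  data, sig = cookie.split('--', 2)
  return nil unless sig && secure_compare(sign(data), sig)
  Marshal.load(Base64.strict_decode64(data)) # only after the HMAC check
end

# Fingerprint: the Base64 of a Marshal-dumped Hash always starts with the same
# four characters; we compute them rather than hard-coding the string.
def marshal_cookie?(cookie)
  prefix = Base64.strict_encode64(Marshal.dump({}))[0, 4]
  cookie.start_with?(prefix)
end

# Server-side session store: the cookie carries only an opaque random id and
# logout deletes the server record, so a replayed id resolves to nothing.
class ServerSessionStore
  def initialize
    @sessions = {}
  end

  def login(user_id)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { 'user_id' => user_id }
    sid
  end

  def load(sid)
    @sessions[sid]
  end

  def logout(sid)
    @sessions.delete(sid)
  end
end

# Scenario: a copy of the cookie was captured earlier, the victim logs out,
# the copy is presented again. With CookieStore, "logout" only makes the
# browser drop its cookie; the old copy still verifies and still names user 42.
def replay_after_logout_cookie_store
  cookie = cookie_store_cookie({ 'user_id' => 42 })
  saved_copy = cookie.dup
  cookie_store_load(saved_copy)
end

# Same scenario against the server-side store: the id is dead after logout.
def replay_after_logout_server_store
  store = ServerSessionStore.new
  sid = store.login(42)
  saved_copy = sid.dup
  store.logout(sid)
  store.load(saved_copy)
end

# Tampering is still caught: the signature no longer matches a modified cookie.
def tampered_cookie_rejected?
  cookie_store_load(cookie_store_cookie({ 'user_id' => 42 }) + 'x').nil?
end
```

The signature still prevents forgery, which is exactly what the page says encryption and signing were designed for; it does nothing about replay, which only server-side state can address.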

The breaking news is that another Bitcoin exchange company has been hacked: BIPS (bips.me), one of the largest European Bitcoin payment processors, based in Denmark.

On Friday evening, cybercriminals broke into the servers of the Bitcoin payment processor BIPS and wiped out around 1,295 Bitcoins from people's wallets, currently worth $1 million. More than 22,000 consumer wallets have been compromised and BIPS will be contacting the affected users.

On 15 November, hackers launched a Distributed Denial of Service (DDoS) attack on BIPS originating from Russia and neighboring countries, and then attacked again on 17 November. This time they somehow gained access to several online Bitcoin wallets, which allowed them to steal the 1,295 BTC.

"As a consequence Bips will temporarily close down the wallet initiative to focus on real-time merchant processing business which does not include storing of Bitcoins," the company says.

"All existing users will be asked to transfer bitcoins to other wallet solutions," said Mr. Henriksen, the BIPS founder. Even after the robbery, he told his customers, "Web Wallets are like a regular wallet that you carry cash in and not meant to keep large amounts in".

Two of the most important moments in the history of Bitcoin are its creation by Satoshi Nakamoto and the arrest of Silk Road's founder Ross William Ulbricht. The Silk Road black market was a Bitcoin economy.

According to a report published by two Israeli computer scientists, Ross William Ulbricht, aka Dread Pirate Roberts, may be financially linked to Satoshi Nakamoto.

Even though Bitcoin buyers and sellers remain anonymous, the transactions themselves are public, so the scientists were able to trace the interactions.

The scientists, Ron and Shamir, were exploring the connection between the operator of Silk Road, who was recently arrested by the FBI for running the Internet black market, and the entity that invented Bitcoin.

The Bitcoin network was established in 2008 and it has been popularly believed that the first accounts in the early days of Bitcoin belonged to Satoshi Nakamoto, who accumulated some 77,600 BTC by mining. Anyone who could generate 77,600 BTC from mining in the first week of Bitcoin's existence would surely be its creator.

The scientists discovered that a transfer of 1,000 Bitcoins was made, just a week after the Bitcoin network launched, from that same initial account, believed to belong to the currency's inventor, to an account controlled by Ulbricht. However, the researchers could not prove whether the account really belonged to him.

When the Silk Road operator Ross William Ulbricht was arrested in October, he had taken in more than USD 1.2 billion from sales and USD 80 million in commissions.

Researchers believe that the commissions seized by the FBI comprised only 22% of the total, while they themselves have been able to track only a third of those commissions. One possible reason the FBI has not recovered all of Ulbricht's bitcoins is that he was using a second computer that has not been located.

Nakamoto's real identity has never been uncovered, despite attempts to figure out who has the cryptographic and mathematical skills to create such a system.

It would be no surprise if Nakamoto and Ulbricht turned out to be the same person... just a thought.

Users in Iran call the Internet the "Filternet" because of the heavily censored access they have. Millions of Iranians use VPN servers to reach the outside world.

In October 2013 Jack Dorsey, the co-founder of Twitter, asked the Iranian President, 'Are citizens of Iran able to read your tweets?' In reply, the President said that he would work to make sure Iranians have access to information globally, in what appeared to be a reference to reducing online censorship.

Just after promising to support Internet freedom, the Iranian government has banned yet another web application: Cryptocat, a tool for secure, encrypted chat.

The app is well known for bringing encrypted communications to the masses and is popular with human rights activists and journalists around the world.

According to 'Blockediniran.com', the Cryptocat website and the associated private chat service have been inaccessible to users in Iran since Monday.

'It currently appears that Cryptocat is the first and only encrypted chat application to be censored in Iran,' the blog post says.

'Cryptocat's main objective is to provide easy to use, accessible private chat around the world. We will do everything we can to allow our users in Iran access to Cryptocat, along with the rest of the world.'

But Iranian users can still use Cryptocat. The team provides its chat service via the Tor network on a hidden service, 'catmeow2zuqpkpyw.onion', which can be accessed using Tor software only.

'We're doing the best we can, and we believe that Cryptocat offers legitimate privacy by employing impressive encryption measures.'

Possibly the Cryptocat service was used by political groups that the Iranian government was targeting. Other encrypted apps are still working and have not been banned in Iran. Cryptocat is available for Mac and as a plugin for Chrome and Firefox, and now includes built-in Tor censorship circumvention technology.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Good news: we bring you this month's amazing deal for our readers, where you can get hacking courses for as little as you want to pay, and if you beat the average price you will receive the fully upgraded hacking bundle!

The NSA has the ability to trace "anyone, anywhere, anytime". In September we reported how the NSA and GCHQ planted malware via LinkedIn and Slashdot traffic to hack the engineers of the largest telecom company Belgacom.

According to a newly exposed slide, the NSA has infected more than 50,000 computer networks worldwide with software designed to steal sensitive information, i.e. malware.

The slide, from a 2012 NSA management presentation, shows a world map with more than 50,000 targeted locations and refers to a procedure called 'Computer Network Exploitation' (CNE) that can secretly install malware in computer systems. The malware can be controlled remotely and turned on and off at will.

According to the NSA website, CNE includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks.

"Cyberwar is a very real threat and could cause widespread problems. That is why the National Security Agency needs to be prepared by Computer Science professionals who are highly-skilled in Computer Network Operations." the website says.

To perform such offensive CNE operations, the NSA employs more than a thousand hackers in a special unit called TAO (Tailored Access Operations). Countries targeted by the CNE hacking unit include China, Russia, Venezuela and Brazil.

Many countries now have their own cyber units, including China and the Netherlands, but their actions are restricted by law; officially they cannot perform operations the way the NSA and GCHQ do.

The CryptoLocker malware continues to spread, infecting more than 12,000 U.S. computers in one week and threatening millions of computers in the UK.

Just last week, the UK National Crime Agency urged people afflicted by CryptoLocker not to pay the ransom, not least because there is no guarantee that they will even receive an unlock key.

Not even police departments are immune to CryptoLocker. In the second week of November, the Swansea Police Department in Massachusetts paid a 2 Bitcoin ransom ($750 at the time) to decrypt images and Word documents encrypted by the CryptoLocker ransomware.

"It gave us 100 hours to pay and it was literally a timer," said the police department. "A big red screen comes up with a timer that says you have 100 hours to pay or your files will be encrypted forever."

The malware is usually distributed through spam emails and encrypts the user's files on the infected machine and on the local network it is attached to. However, the police department said the virus did not affect the software the police use for reports or booking.

Security experts also commented that "The only reason this type of attack success is because people are willing to pay up. If no one ever paid, there would be no ransomware." But will people really refuse to pay the ransom for their very important files if they are encrypted by malware? Most will pay, as the police had to, and other attackers are moving in this direction as well.

There are many other ways to protect your system from CryptoLocker before infection. Ensure you have a good antivirus solution active and up to date, and if a computer becomes infected it should immediately be disconnected from any networks.

Facebook is one of the most popular social networking websites. It allows users to interact with other users after becoming friends with one another. Facebook lets users make their friend list public or private; if it is private, the friend list won't appear on the publicly viewable profile.

Irene Abezgauz, a security researcher from the Quotium Seeker Research Center, has found a vulnerability in the Facebook website that allows anyone to see a user's friends list, even when the user has set that information to private.

The exploit abuses Facebook's 'People You May Know' feature, which suggests new friends to users based on mutual connections and other criteria such as work or education information.

The hack is really very simple: all an attacker has to do is create a fake Facebook profile and then send a friend request to the target.

Even if the targeted user never accepts the request, the attacker can see that person's friends via the "People You May Know" feature.

But Facebook said that an attacker would have no way of knowing whether the suggested friends represented a user's entire list.

She replied to Facebook, "I could see hundreds of suggestions. So, you know what, it's not all of them. It's 80 percent, so what. There's a reason why I made my friends list private and I don't want people from the internet just looking at who my friends are."

For now, Facebook hasn't acknowledged her finding, but we hope it will take users' privacy seriously and reconsider patching the issue.

Update: Mohamed Ahmed, a security expert from Sudan, had reported the exact same flaw to The Hacker News team back in June. He had also reported it to the Facebook team, but according to him they have not yet replied.

Oren Hafif, a security researcher, has discovered a critical vulnerability in the password reset process of Google accounts that allows an attacker to hijack any account.

He managed to trick Google users into handing over their passwords via a simple spear-phishing attack by chaining a number of flaws: cross-site request forgery (CSRF), cross-site scripting (XSS) and a flow bypass.

In a proof-of-concept video demonstration, the attacker sends the victim a fake "Confirm account ownership" email, claiming to come from Google.

The link in the mail instructs the recipient to confirm ownership of the account and urges the user to change their password.

The link from the email apparently points to an HTTPS google.com URL, but it actually leads the victim to the attacker's website through a CSRF attack with a customized email address.

The Google HTTPS page will ask the victim to confirm ownership by entering their last password and then ask them to reset the password.

But in reality the attacker has grabbed the new password and cookie information at this step using an XSS attack.

Hafif reported the details of this serious security vulnerability to the Google security engineers and Google has now addressed the issues. Google rewarded Mr. Hafif with $5,100 under its bug bounty program.

Dubbed 'i2Ninja', the malware has most of the features found in other financial malware, including the ability to perform HTML injection and form grabbing in Internet Explorer, Firefox and Chrome. i2Ninja can also steal FTP and e-mail credentials, and it has a PokerGrabber module that targets poker sites.

The traffic between the malware and its command server cannot be easily blocked by intrusion prevention systems or firewalls because it is encrypted and transmitted over the Invisible Internet Project (I2P).

I2P communication makes it much harder for security researchers to find and take down those servers; the malware also offers buyers a proxy for anonymous Internet browsing, promising complete online anonymity.

Another unique feature of this malware is that it comes with an integrated help desk ticketing system. "A potential buyer can communicate with the authors / support team, open tickets and get answers - all while enjoying the security and anonymity provided by I2P's encrypted messaging nature," Trusteer says.

A few other malware families also have such marketed support, e.g. Citadel and the Neosploit exploit pack. It is not known whether i2Ninja is already being used to infect computers.

With increasing black market activity and the release of various malware source code, we expect to see new malware variants and new underground offerings in 2014, they say.

He was living in Cambodia last year but was arrested and deported to Sweden. He is currently serving a one-year sentence in Sweden for hacking into the computer systems of contractors working for the national tax authority. His extradition will take place on 27 November.

The motivation for the hacks remains unknown, but the police say it can't be ruled out that changes were made to the records. There are, however, no indications that any of the downloaded files have been exploited.

Even The Pirate Bay may no longer be safe to use, as it is no longer in the hands of the original owners. An Anonymous activist tweeted last week, "The Pirate Bay is now a rogue torrent site. Tell your friends to stop using it.", along with a screenshot of a chat conversation between him and another Pirate Bay co-founder, Peter Sunde.

Previously Gottfrid appealed to the Swedish government to stop his extradition, arguing that he had not actually carried out any hacking attack and that the Danish hacking attack may merely have been traced to his computer.

That was not the first time he had maintained his innocence on hacking charges, saying somebody else had used his computer remotely. He was also convicted of hacking into Nordea bank, but because it was not practically possible to prove that he had illegally gained access to Nordea's mainframe, the court cut his prison sentence to just one year.

If convicted in Denmark this time, Svartholm Warg could face a six-year jail sentence.

Takashi Katsuki, a researcher at antivirus firm Symantec, has discovered a new attack ongoing in the wild that targets the open-source Apache Tomcat web application server with a cross-platform, Java-based backdoor that can be used to attack other machines.

The malware, dubbed "Java.Tomdep", differs from other server malware in that it is not written in the PHP scripting language. It is a Java-based backdoor that acts as a Java servlet and gives Apache Tomcat platforms malicious capabilities.

Because Java is a cross-platform language, the affected platforms include Linux, Mac OS X, Solaris and most supported versions of Windows. The malware was detected less than a month ago and so far the number of infected machines appears to be low.

You may think that this type of attack only targets personal computers, such as desktops and laptops, but unfortunately that isn't true. Servers can also be attacked, and they are quite valuable targets, since they are usually high-performance computers that run 24x7.

The Java worm seeks out systems with Apache Tomcat installed and running, then attempts to log in with a password brute-force attack using combinations of user names and passwords.

After installation, the malware servlet behaves like an IRC bot and is able to receive commands from an attacker. The malware can upload and download files, create new processes, update itself, set up a SOCKS proxy and perform UDP flooding, i.e. take part in massive DDoS attacks.

Symantec mentioned that the command-and-control servers have been traced to Taiwan and Luxembourg. To avoid this threat, ensure that your server and AV products are fully patched and updated.

The popular source code repository service GitHub has recently been hit by a massive password brute-force attack that successfully compromised some accounts.

GitHub has urged users to set up two-factor authentication for their accounts and has already reset the passwords of compromised accounts.

"We sent an email to users with compromised accounts letting them know what to do,"

"Their passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked."

However, GitHub uses the bcrypt algorithm to hash passwords, which is extremely resilient against offline brute-force attacks because it takes a deliberately long time to hash each password.

In a blog post, GitHub engineer Shawn Davenport said that a brute-force attack from around 40,000 IP addresses revealed some commonly used passwords. These addresses were used to slowly brute-force weak passwords.

In addition to normal strength requirements such as length or character requirements, GitHub has banned frequently used weak passwords on the site and has "aggressively" rate-limited login attempts.

"This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information."

The exact number of compromised GitHub accounts was not disclosed, but GitHub's sign-up page now says passwords need to be at least seven characters long and have at least one lowercase letter and one numeral.

So always choose a good password that will be hard to crack: use a mix of numbers, letters and non-dictionary words, and choose separate, unique passwords for each account or service.

Cyber security of many organizations being attacked at an extremely high rate this month, well another alarming cyber crime report become public today.

A widely unpatched, two-year-old critical vulnerability in the JBoss Application Server (AS) enables an attacker to remotely obtain a shell on a vulnerable web server.

JBoss Application Server is a very popular open-source Java EE-based application server designed by JBoss, now a division of Red Hat. In late 2012, JBoss AS was renamed "WildFly". Since the disclosure of the exploit code, many products running the affected JBoss Application Server have been impacted, including some security software.

Tens of thousands of enterprise data center servers are vulnerable to this attack, with at least 500 actively compromised, according to the Imperva report. Many systems administrators have yet to properly configure their servers to mitigate the threat, and the number of potential targets has increased over time, making the exploit even more attractive to attackers.

The number of infections has surged since exploit code called pwn.jsp was publicly disclosed on October 4th. The pwn.jsp shell isn't the only exploit available: Imperva's Barry Shteiman confirmed that a more sophisticated shell is also available to attackers.

“In these cases, the attackers had used the JspSpy web shell which includes a richer User Interface, enabling the attackers to easily browse through the infected files and databases, connect with a remote command and control server and other modern malware capabilities,”

A number of government and education related websites have been hacked by exploiting the JBoss Application Server vulnerability, where an attacker can obtain remote shell access to the target system to inject code into a website hosted on the server or steal files stored on the machine.

"The vulnerability allows an attacker to abuse the management interface of the JBoss AS in order to deploy additional functionality into the web server. Once the attackers deploy that additional functionality, they gain full control over the exploited JBoss infrastructure, and therefore the site powered by that Application Server."

On Sept. 16th, the National Vulnerability Database issued an advisory warning of a critical remote code execution bug affecting HP ProCurve Manager, assigned the CVE identifier CVE-2013-4810, and on October 4th 2013 a security researcher disclosed exploit code for the JBoss Application Server vulnerability.

As a consequence, the security community has witnessed a surge in JBoss AS hacking; the malicious traffic originating from the compromised servers was detected by Imperva's honeypots.

Within a few weeks, an exploit was added to Exploit-DB that successfully gained a shell against a product running JBoss 4.0.5.

Imperva confirmed that the number of web servers running JBoss Application Server with exposed management interfaces has tripled since the initial vulnerability research was publicly disclosed, rising from 7,000 to 23,000.

I have just run the following Google Dork retrieving more than 17000 results:

Google reconnaissance also lets an attacker identify governmental and educational websites, some of which already turn out to be infected.

"Many of the deployed web shells utilize the original pwn.jsp shell code that was presented with the original exploit, as can be seen in a blog entry posted by one of the attack’s victims. In other cases a more powerful web shell was deployed. In these cases, the attackers had used the JspSpy web shell which includes a richer User Interface, enabling the attackers to easily browse through the infected files and databases, connect with a remote command and control server and other modern malware capabilities."

The concerning aspect of the story is that, once again, a two-year-old vulnerability could be easily exploited to compromise a huge quantity of information; the situation is analogous to the Silverlight flaw that affects users of Netflix, the provider of on-demand Internet streaming media.
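An added detection example, not code from Imperva or the article: Python that scans access-log lines (constructed here) for requests to the JBoss AS management interfaces, and for a JSP outside the known application served afterwards to the same client, which is the footprint a pwn.jsp-style deployment leaves behind. The interface paths are real JBoss AS 4/5 paths; the log format, the application's JSP list, the shell path and the IP addresses are assumptions.

```python
import re

# Management-interface paths of JBoss AS 4/5 (JMX console, web console and the
# invoker servlets). These are real JBoss paths, not taken from the article.
MGMT_PATHS = ("/jmx-console/", "/web-console/",
              "/invoker/JMXInvokerServlet", "/invoker/EJBInvokerServlet")

# Common log format: client, ident, user, [time], "method path proto", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed access-log lines; IPs are documentation ranges, the shell path is made up.
ACCESS_LOG = """\
203.0.113.7 - - [10/Nov/2013:10:00:01 +0000] "GET / HTTP/1.1" 200
203.0.113.7 - - [10/Nov/2013:10:00:05 +0000] "GET /jmx-console/HtmlAdaptor HTTP/1.1" 200
203.0.113.7 - - [10/Nov/2013:10:00:09 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200
203.0.113.7 - - [10/Nov/2013:10:00:20 +0000] "GET /pwn/pwn.jsp HTTP/1.1" 200
198.51.100.4 - - [10/Nov/2013:10:01:00 +0000] "GET /app/index.jsp HTTP/1.1" 200
"""


def find_mgmt_abuse(log: str, known_jsp=frozenset({"/app/index.jsp"})) -> list:
    """Return (ip, kind, path) alerts: every hit on a management interface, and a
    JSP outside the known application served with 200 to a client that already
    touched one (a freshly deployed web shell such as pwn.jsp)."""
    touched_mgmt = set()
    alerts = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        path = path.split("?", 1)[0]  # drop any query string before matching
        if path.startswith(MGMT_PATHS):
            touched_mgmt.add(ip)
            alerts.append((ip, "management-interface", path))
        elif (ip in touched_mgmt and status == "200"
              and path.endswith(".jsp") and path not in known_jsp):
            alerts.append((ip, "possible-webshell", path))
    return alerts
```

The real fix is to keep these interfaces off the Internet and behind authentication; the detector is only a backstop for servers that were not configured that way.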

Now your TV is also watching you, and it is smart enough to spy on you. A UK blogger, developer and Linux enthusiast, known only as DoctorBeet, has discovered that LG's smart TVs are sending personal information about what channels you watch and your viewing habits back to the company's servers.

Actually, LG conducts the data collection for its Smart Ad function, which advertisers can use to see when it is best to target their products at the most suitable audience.

After inspecting the outgoing traffic from his smart TV, DoctorBeet noticed that a unique device ID, along with the TV channel name, was being transmitted each time he changed channels.

His investigation also indicated that the TVs uploaded information about the contents of devices attached to the TV. He also claims that the data being sent is unencrypted.

To demonstrate this, I created a mock avi file and copied it to a USB stick.

An option exists in the TV settings to turn off this collection; however, DoctorBeet notes that it does nothing. LG's privacy policy doesn't give LG customers any way to opt out of this data collection.

If you do not want us to share your personally identifiable information in this manner, please do not provide us with this information.

He mentioned that the URL the TV was sending the information to was not live, but LG could turn it on tomorrow.

LG's privacy policy states that LG collects personally identifiable information including names, emails, physical addresses and company names and also non-personally identifiable information such as IP addresses and product information.

A spokesperson for LG told Engadget: "We're looking into this now. We take these claims very seriously and are currently investigating the situation at numerous local levels since our Smart TVs differ in features and functions from one market to another. We work hard to get privacy right and have made this our top priority."

CryptoLocker is an especially insidious form of ransomware that was first detected in the wild in September 2013; it restricts access to infected computers and requires victims to pay a ransom in order to regain full access.

What makes CryptoLocker so bad is the way it encrypts the user data on your hard drive using a strong encryption method. This makes it effectively impossible to access your own data without paying the criminals a ransom of between $100 and $300 or two Bitcoins, and by now even more.

Once affected, you will be locked out of your computer and, unless you pay the ransom amount within 72 hours, the virus will delete the decryption key needed to decrypt all the files on your PC.

The malware lands on PCs the same way other malware does, and a few sensible precautions will help minimize the chances of a CryptoLocker attack.

What if your computer gets compromised? Currently there is no option to decrypt the files without the decryption key, and brute-forcing a file encrypted with 2048-bit encryption is almost impossible. If you don’t pay the ransom, you forever lose access to everything you’ve been working on which is stored on your computer.

A few things you can do to prevent your PC from getting infected with the CryptoLocker virus:

Most viruses are introduced by opening infected attachments or clicking on links to malware usually contained in spam emails. Avoid opening emails and attachments from unknown sources, especially zip or rar archive files.

Most people have some anti-virus program, but how do you know it’s effective? Ensure you have the best one active and up-to-date.

Also keep your operating system and software up-to-date.

Keep a backup. If you have real-time backup software, make sure that you first clean the computer and then restore the unencrypted version of the files.

Create files in the Cloud and upload photos to online accounts like Flickr or Picasa.

Windows 7 users should set up the System Restore points or, if you are using Windows 8, configure it to keep the file history.

Make sure you have reformatted your hard drive to completely remove the CryptoLocker trojan before you attempt to re-install Windows and/or restore your files from a backup.

There are many free tools now available in the community that can help users protect their systems from this malware.

1.) CryptoPrevent tool, created by American security expert Nick Shaw.

This tool applies a number of settings to your installation of Windows that prevents CryptoLocker from ever executing and has been proven to work in Windows XP and Windows 7 environments.

2.) HitmanPro.Alert 2.5, a free utility that helps protect your computer against the CryptoLocker ransomware.

HitmanPro.Alert 2.5 contains a new feature, called CryptoGuard that monitors your file system for suspicious operations. When suspicious behavior is detected, the malicious code is neutralized and your files remain safe from harm.

Intrusion prevention systems can block the communications sent from the CryptoLocker-infected system to the remote command-and-control server from which the malware retrieves the key used to encrypt the files. Blocking these communications can prevent the encryption from taking place.
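An added example, not HitmanPro.Alert's code: a toy imitation in Python of the CryptoGuard idea described above, flagging a process that overwrites several low-entropy files with high-entropy content within a short window, which is what bulk file encryption looks like from the file system's side. The entropy and rate thresholds, the sample document and the SHA-256 chain standing in for ciphertext are assumptions.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class CryptoGuardLike:
    """Toy file-system monitor: a process that overwrites several low-entropy
    files with high-entropy content inside `window` seconds gets flagged.
    Thresholds are assumptions, not HitmanPro.Alert's."""

    def __init__(self, window=60, max_rewrites=3, high=7.0, low=6.0):
        self.window, self.max_rewrites = window, max_rewrites
        self.high, self.low = high, low
        self.hits = {}  # pid -> timestamps of suspicious overwrites

    def on_write(self, pid: int, ts: int, path: str, old: bytes, new: bytes) -> bool:
        """Called per file write; returns True when the process should be stopped."""
        if shannon_entropy(old) >= self.low or shannon_entropy(new) < self.high:
            return False  # not a plaintext-to-ciphertext transition
        recent = [t for t in self.hits.get(pid, []) if ts - t <= self.window] + [ts]
        self.hits[pid] = recent
        return len(recent) >= self.max_rewrites


# Constructed sample: a plaintext document and a SHA-256 chain standing in for ciphertext.
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat. " * 20
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(28))


def simulate():
    """Four overwrites by one process versus one ordinary edit by another."""
    guard = CryptoGuardLike()
    verdicts = [guard.on_write(1234, 10 + i, f"doc{i}.txt", PLAINTEXT, CIPHERTEXT)
                for i in range(4)]
    benign = guard.on_write(99, 50, "notes.txt", PLAINTEXT, PLAINTEXT + b"\nnew line")
    return verdicts, benign
```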